Setting up a password-less ssh connection between known machines, while asking for two-factor authentication from unknown machines.
You can do both together or only do one and not the other.
First install a two-factor authenticator app on your phone, like the one from LastPass.
Configure for password-less authentication
Run the following commands on the local machine. The first is needed only once. If the user name is the same on both machines, you do not need to add the user@ part.
ssh-keygen
ssh-copy-id user@remote-machine
ssh user@remote-machine
You are now able to log in without typing a password. Key-based login is also much safer than typing in a password.
This is based on Debian 10.2. It should work on most deb-based systems, and on other distributions if you change the install command to your distro's (e.g. zypper instead of apt).
Run the following on the machine where you want 2FA to be active. This can be the local machine, or the remote one after you ssh into it. Default settings are used.
su - (or sudo -i)
apt install libpam-google-authenticator libqrencode3
# make sshd ask PAM for the verification code
echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
# allow sshd to do keyboard-interactive (challenge/response) logins
sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
service ssh restart
exit
# run as the normal user: creates ~/.google_authenticator and shows the QR code
google-authenticator -tfD -w 17 -r 3 -R 30 -Q UTF8
Open the app on your phone and scan the QR code from the terminal, or use the URL that is given. Now you need to restart the ssh server. As root or with root rights:
service ssh restart
You are now able to connect to the machine with ssh and no password from the machine and user that has a key. From any other machine, you will be asked for the password and then for a verification code. Use the app on your phone for that.
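The echo and sed steps above are not safe to re-run: the echo appends a second PAM line every time, and the sed does nothing when the option is commented out or missing. The following is an added example, not part of the original post, that makes the same two edits idempotently and checks the result; it takes the file paths as arguments so it can be tried on copies before touching /etc.

```shell
#!/bin/sh
# Added example: idempotent version of the PAM and sshd_config edits from
# the steps above. Paths are passed in so the functions can be tested on copies.

PAM_LINE='auth required pam_google_authenticator.so'

# Append the PAM line only if it is not already there.
ensure_pam_line() {
    pam_file="$1"
    grep -qxF "$PAM_LINE" "$pam_file" || printf '%s\n' "$PAM_LINE" >> "$pam_file"
}

# Set ChallengeResponseAuthentication to yes whether the existing line is
# active, commented out (#ChallengeResponseAuthentication no) or absent.
# Newer OpenSSH releases call this option KbdInteractiveAuthentication but
# still accept the old name, which is what Debian 10 ships.
ensure_challenge_response() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$cfg"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*ChallengeResponseAuthentication[[:space:]].*/ChallengeResponseAuthentication yes/' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'ChallengeResponseAuthentication yes\n' >> "$cfg"
    fi
}

# Return 0 only when both files are in the state the 2FA setup needs:
# exactly one PAM line, an active "yes" and no active "no" in sshd_config.
check_2fa_config() {
    pam_file="$1"; cfg="$2"
    [ "$(grep -cxF "$PAM_LINE" "$pam_file")" -eq 1 ] || return 1
    grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes[[:space:]]*$' "$cfg" || return 1
    grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+no' "$cfg" && return 1
    return 0
}

# Real use (as root): ensure_pam_line /etc/pam.d/sshd;
# ensure_challenge_response /etc/ssh/sshd_config; then restart the ssh service.
```

Run `check_2fa_config /etc/pam.d/sshd /etc/ssh/sshd_config` after the edits; a non-zero exit means one of the two settings is still wrong.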
Extra things that you can do
In sshd_config you can disallow root logins with "PermitRootLogin no" and allow only a specific user to log in with "AllowUsers user_name".
You can copy the .google_authenticator file from the remote machine to other machines where google-authenticator is installed, so you need only one key in the app.
Use the authenticator app for Amazon and other services as well, e.g. for your website.